For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

That depends. It's a good thing if it warns folks they're about to enter details on a non-secure page. If a site is purely static - no contact form, nothing interactive - then showing it as "not secure" may lead potential visitors to conclude it's a dodgy site and leave.

If a site is purely static - no contact form, nothing interactive - then showing it as "not secure" may lead potential visitors to conclude it's a dodgy site and leave.

Yeah, I appreciate that, but I would argue that it is a necessary evil to force an upgrade to https across the board. Most hosting providers offer a free SSL certificate nowadays, so it is usually a matter of just switching it on.

This is a welcome change to be honest. There's no reason not to use SSL these days. With Let's Encrypt it's easy and you just set it up once and leave it going. It's not like you even have to renew it and manually update the certificate each year any more.

There is one downside to SSL, it gives the illusion of security. People will be on a malicious site which uses HTTPS, see the padlock and assume it's legit. However, that's a small trade-off compared with the benefits.

I had a few issues with the software when I set it up on my website over a year ago. It was due to my customised nginx configuration. However, I recently set it up on another website with a more conventional configuration and it just worked.

It was literally a matter of installing the packages and then running certbot --nginx, and it did it all for me. It generated the certificates, validated my domain and even updated the nginx configuration. I had to manually set up the systemd unit to make it auto-renew. It's odd this isn't included as part of the package, but it's only a matter of pasting some text into the unit file.
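
The renewal setup the poster describes, written out as an added example (this is not the poster's own unit file and not something certbot ships): a script that writes a systemd service and timer running `certbot renew`, plus a small check that tells you whether the timer is actually keeping a certificate fresh. It assumes certbot lives at /usr/bin/certbot, that nginx is managed by systemd, and that the unit files go in /etc/systemd/system; the `--deploy-hook` reload is included because a renewed certificate does nothing until nginx re-reads it.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a systemd service + timer for
# `certbot renew` and offers a check on how long a certificate is still valid.
# Assumptions: certbot at /usr/bin/certbot, nginx as a systemd service,
# unit files under /etc/systemd/system.
set -eu

UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"

# Write certbot-renew.service and certbot-renew.timer into directory $1.
write_renew_units() {
    dir="$1"
    cat > "$dir/certbot-renew.service" <<'EOF'
[Unit]
Description=Renew Let's Encrypt certificates with certbot
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# certbot only renews certificates that are within 30 days of expiry, and the
# deploy hook runs only when something was actually renewed, so nginx is not
# reloaded on every timer tick.
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
EOF
    cat > "$dir/certbot-renew.timer" <<'EOF'
[Unit]
Description=Run certbot renew twice a day

[Timer]
# Twice daily with a random delay, so many hosts do not all hit the CA at once.
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=1h
# Catch up on a run that was missed while the machine was off.
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Exit 0 if the PEM certificate in $1 is still valid $2 days from now, 1 otherwise.
# Certbot renews at 30 days remaining, so a cert that is not valid for another
# 20 days is a sign the timer is not running or renewal is failing.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Install and start the timer (run as root). The initial issuance is the
# one-off `certbot --nginx` run described above; this only automates renewal.
install_timer() {
    write_renew_units "$UNIT_DIR"
    systemctl daemon-reload
    systemctl enable --now certbot-renew.timer
}

case "${1:-}" in
    install) install_timer ;;
    check)   cert_valid_for_days "$2" 20 && echo "ok: $2 valid for 20+ days" \
                 || { echo "WARNING: $2 expires within 20 days; renewal may be broken"; exit 1; } ;;
    *)       ;;  # sourced or run without arguments: define functions only
esac
```

Run it as `./renew-setup.sh install` once, then `systemctl list-timers certbot-renew.timer` shows the next run; `./renew-setup.sh check /etc/letsencrypt/live/example.com/fullchain.pem` from a monitoring job catches the case where the timer silently stopped working.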

If the higher-ups want web connections to be secure, why not just bake basic encryption into HTTP? Granted this would provide no authenticity, but it would provide encryption. Think self-signed certificates without the scary warning.

I'm all for securing things and providing security. But I just don't know if this certificate and certification validation requirement is the right path.